Security: ainfera-ai/mcp-server

Security Policy

Reporting a vulnerability

Please report security vulnerabilities to security@ainfera.ai (or hi@ainfera.ai if security@ is unavailable).

Do not open a public GitHub issue for security-sensitive reports.

When reporting, please include:

  • The repository and version (commit SHA if possible)
  • A description of the issue and its impact
  • Steps to reproduce
  • Any suggested mitigation, if known

Response process

  • Acknowledgement within 3 business days
  • Initial assessment within 7 business days
  • Coordinated disclosure: we'll work with you on a timeline before any public discussion

Scope

This policy covers code in this repository. For vulnerabilities in the Ainfera platform itself (api.ainfera.ai, app.ainfera.ai), please report the same way — we'll route internally.

Out of scope

  • Denial-of-service via brute-force traffic against public endpoints
  • Reports from automated scanners without a demonstrated exploit
  • Issues in dependencies we don't pin (file with the upstream maintainer)

Recognition

We don't run a paid bounty at this time. We do publicly credit researchers who report responsibly, with their permission.

There aren't any published security advisories